Ultimately, I think it comes down to what the need is for each tool being considered, as Dan was alluding to. OSSEC is definitely more on the host-based IDS side (and does an awesome job at it), but if you want/need attention in the log analysis space, you may need to consider other tools (but I would say with the intention of using them alongside OSSEC).
On Thu, Sep 27, 2012 at 12:56 PM, Jeremy Lee <[email protected]> wrote:
> Several people have reported success with using OSSEC and Splunk together
> as a more cost-efficient solution.
> The main thing here is that OSSEC doesn't provide much of a UI for
> [visually, at least] analyzing and correlating data. Sure, there's the
> OSSEC WUI and a few other UIs that have been worked on as of late, but there
> are a lot more commercial/enterprise solutions out there.
> At the end of the day, much of the "correlation" and "analysis" with OSSEC
> is going to be based on how you customize the rulesets.
>
> If business use dictates a need for a UI with more advanced
> sorting/analysis/correlation of logs and data *outside* of the command line
> and running scripts to parse data, in addition to a lot of other advanced
> functionality, then you'll want to consider an enterprise log monitoring
> solution or SIEM.
>
>
> On Thu, Sep 27, 2012 at 12:44 PM, tstoneami <[email protected]> wrote:
>
>> AWS
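To make concrete what "correlation based on how you customize the rulesets" looks like in practice, here is an illustrative local_rules.xml fragment. It is an added example written for this thread, not something posted by Jeremy or shipped with OSSEC. It assumes the stock OSSEC rule id 5716 ("SSHD authentication failed" in sshd_rules.xml; verify against your installed ruleset), an internal address range of 10.0.0.0/8, and the documented reservation of ids 100000-119999 for local rules.

```xml
<!-- /var/ossec/rules/local_rules.xml
     Added example: two chained rules that turn individual sshd failures
     into a correlated brute-force alert without any external UI or SIEM.
     Assumptions: 5716 is OSSEC's stock "SSHD authentication failed" rule,
     10.0.0.0/8 is the trusted internal range. Adjust both for your site. -->
<group name="local,sshd,">

  <!-- Step 1: re-classify a single failed SSH login when the source is
       outside the internal range. Rule ids 100000-119999 are the local range. -->
  <rule id="100010" level="7">
    <if_sid>5716</if_sid>
    <srcip>!10.0.0.0/8</srcip>
    <description>SSHD authentication failure from outside the internal range.</description>
  </rule>

  <!-- Step 2: correlate. Fire once when at least six events matching rule
       100010 arrive from the same source IP inside a 120-second window.
       The frequency/timeframe/same_source_ip combination is OSSEC's
       built-in correlation mechanism. -->
  <rule id="100011" level="10" frequency="6" timeframe="120">
    <if_matched_sid>100010</if_matched_sid>
    <same_source_ip />
    <description>Possible SSH brute force from outside the internal range (correlated).</description>
  </rule>

</group>
```

After adding the file, run `/var/ossec/bin/ossec-logtest` and paste a few sshd "Failed password" lines to confirm that the first line matches 100010 and that the sixth from the same address within two minutes raises 100011; then restart OSSEC so the rules load. Everything a SIEM would do for this case (grouping by source, windowing, severity escalation) is expressed in the rule itself, which is why the quality of the correlation is bounded by the quality of the rules you write.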
